Date: Sun, 16 Feb 2003 21:57:41 -0800
From: David Schultz <dschultz@uclink.Berkeley.EDU>
To: Kris Kennaway <kris@obsecurity.org>
Cc: "Andrey A. Chernov" <ache@FreeBSD.ORG>, current@FreeBSD.ORG
Subject: Re: cvs commit: src/lib/libc/stdlib rand.c
Message-ID: <20030217055741.GA6011@HAL9000.homeunix.com>
In-Reply-To: <20030217045729.GA68471@rot13.obsecurity.org>
References: <200302170352.h1H3qawJ062671@repoman.freebsd.org> <20030217045729.GA68471@rot13.obsecurity.org>
Thus spake Kris Kennaway <kris@obsecurity.org>:
> I think we should commit this patch (to -current) and fix all the
> problems that pop up. For example, it's used in awk (which started
> this set of changes), and in some of the XFree86 libraries.
...
> +__warn_references(rand_r,
> + "warning: rand_r() does not produce high-quality random numbers and should not generally be used");

Many programmers who use rand() are aware that it isn't very good, but don't care for their particular application. For instance, for games or for randomized backoff in network protocols, you might just want a sequence of numbers that looks kinda random, and you don't care that there happens to be a pattern in the lowest-order bits that you see only if you look carefully. rand() isn't like gets() because it's nearly impossible to write a robust program using gets().

It might make sense to put in the warning just to check whether someone used rand() when they really wanted cryptographic-quality randomness, but people would probably get annoyed if the next release of FreeBSD nagged them about every use of rand().
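An added illustration, not from this thread and not FreeBSD's rand() source, of the low-order-bit pattern David describes: in a constructed linear congruential generator with a power-of-two modulus, the lowest k bits of the output cycle with period only 2^k, so the lowest bit simply alternates. The constants and the low_bits_period() helper are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy LCG with modulus 2^32 (Numerical Recipes constants).
 * For illustration only; this is NOT FreeBSD's rand() implementation. */
#define LCG_A 1664525u
#define LCG_C 1013904223u

static uint32_t lcg_next(uint32_t state) {
    return LCG_A * state + LCG_C;   /* unsigned arithmetic wraps mod 2^32 */
}

/* Period of the lowest `bits` bits of the output stream: the number of
 * steps until those bits first return to their initial value. The search
 * is capped at `limit` steps so the loop always terminates (0 = no repeat). */
uint64_t low_bits_period(uint32_t seed, unsigned bits, uint64_t limit) {
    uint32_t mask = (bits >= 32) ? 0xffffffffu : ((1u << bits) - 1u);
    uint32_t start = seed & mask;
    uint32_t state = seed;
    for (uint64_t n = 1; n <= limit; n++) {
        state = lcg_next(state);
        if ((state & mask) == start)
            return n;
    }
    return 0;
}

int main(void) {
    /* The low k bits repeat after exactly 2^k outputs: 2, 4, 8, ... 256. */
    for (unsigned k = 1; k <= 8; k++)
        printf("low %u bit(s): period %llu\n", k,
               (unsigned long long)low_bits_period(1u, k, 1u << 20));
    return 0;
}
```

Any consumer that takes `x % 2` or `x % 16` from such a generator gets a sequence with period 2 or 16, which is the pattern you only notice if you look carefully, and why a generator like this is fine for a game but not for anything needing cryptographic quality.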